kedacore / keda

KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
https://keda.sh
Apache License 2.0

Add ability to fetch auth token from k8s secret for HashiCorp Vault #5194

Open kmdrn7 opened 10 months ago

kmdrn7 commented 10 months ago

Proposal

Fetch the Vault token directly from a Kubernetes Secret object, like AzureKeyVault does when fetching the clientSecret.

Use-Case

In order to use custom credentials for autoscaling purposes, I need to supply a custom Vault token to the TriggerAuthentication without changing the target Deployment manifest (e.g. including the token as an env var). AFAIK, I'm only able to do it via plaintext in the manifest, like this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: webserver
spec:
  hashiCorpVault:
    address: http://vault.default:8200
    authentication: token
    credential:
      token: ====the-token====
    secrets:
    - key: value
      parameter: connection
      path: secret/webserver/pgconn

Can we add the feature to the HC Vault resolver so it will be able to fetch the auth token from the Kubernetes Secret directly? The updated manifest would look like this:

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: webserver
spec:
  hashiCorpVault:
    address: http://vault.default:8200
    authentication: token
    credential:
      tokenSecret:
        valueFrom:
          secretKeyRef:
            key: token
            name: vault
    secrets:
    - key: value
      parameter: connection
      path: secret/webserver/pgconn

I'm not sure if introducing this new field would result in a breaking change. Therefore, for compatibility reasons, the new field is named tokenSecret instead of token.

Is this a feature you are interested in implementing yourself?

Yes

Anything else?

No response
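
The resolution order the proposal implies (inline `token` kept for compatibility, `tokenSecret` read from a Secret) can be sketched as follows. This is an added example, not part of the original issue and not KEDA's code: the type names, `ResolveVaultToken`, the `SecretGetter` callback, the rule that setting both fields is an error, and the constructed sample Secret are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical types mirroring the proposed manifest fields; not KEDA's API types.
type SecretKeyRef struct{ Name, Key string }

type Credential struct {
	Token       string        // existing inline field (plaintext in the manifest)
	TokenSecret *SecretKeyRef // proposed: tokenSecret.valueFrom.secretKeyRef
}

// SecretGetter abstracts the Kubernetes Secret read so the example runs offline.
type SecretGetter func(namespace, name string) (map[string][]byte, error)

// ResolveVaultToken returns the Vault token for a credential block.
func ResolveVaultToken(c Credential, namespace string, get SecretGetter) (string, error) {
	switch {
	case c.Token != "" && c.TokenSecret != nil:
		return "", errors.New("token and tokenSecret are mutually exclusive")
	case c.TokenSecret == nil && c.Token == "":
		return "", errors.New("no token source configured")
	case c.TokenSecret == nil:
		return c.Token, nil // backward-compatible path
	}
	ref := c.TokenSecret
	data, err := get(namespace, ref.Name)
	if err != nil {
		return "", fmt.Errorf("reading secret %s/%s: %w", namespace, ref.Name, err)
	}
	tok := strings.TrimSpace(string(data[ref.Key])) // tolerate a trailing newline
	if tok == "" {
		return "", fmt.Errorf("secret %s/%s has no value for key %q", namespace, ref.Name, ref.Key)
	}
	return tok, nil
}

func main() {
	// Constructed sample: Secret "vault" with key "token", as in the proposed manifest.
	get := func(ns, name string) (map[string][]byte, error) {
		if ns == "default" && name == "vault" {
			return map[string][]byte{"token": []byte("constructed-sample-token\n")}, nil
		}
		return nil, errors.New("not found")
	}
	tok, err := ResolveVaultToken(Credential{TokenSecret: &SecretKeyRef{"vault", "token"}}, "default", get)
	fmt.Println(len(tok), err) // print the length only, never the token itself
}
```

Error messages name the Secret and key but never include the token value, so a failed resolution can be logged safely.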

tomkerkhove commented 10 months ago

Fair ask!

Are you willing to contribute this?

kmdrn7 commented 10 months ago

Yes, I would like to contribute this feature.

tomkerkhove commented 10 months ago

Wonderful, thank you!

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

zroubalik commented 8 months ago

Any update on this please?

kmdrn7 commented 8 months ago

Will update the progress in the next few days.